encrypting password on JSP page

Looking to encrypt user's passwords, but really I need a way to do it at the JSP level. I've written a basic class which a Servlet can call, but this is pointless because surely the password would still be passing from JSP to Servlet in plain text and only getting encrypted once received (bit pointless).

I need to be able to encrypt the password when the user clicks 'login'.

I have seen a few dodgy ways to do this, but really I want to use some sort of standard Java way, because I will need to be able to match the encrypted password with the encrypted password stored from registration.

Originally posted by Keith Seller: Looking to encrypt user's passwords, but really I need a way to do it at the JSP level.

This makes little sense. JSP executes on the server in order to format the HTML page sent to the browser. Once sent to the browser, all JSP-ness is gone. So there's no executing any JSP code when the user clicks Login. Perhaps this article might be instructive.

The conventional way to encrypt when submitting from the browser to the server is via SSL.

Where do you see the practical difference between doing the encryption in the JSP and a servlet? Both are executed on the server (and JSPs are compiled into servlets anyway).

If you're concerned about clear-text transmission, make sure the connection is using HTTPS (which you should do anyway wherever passwords are involved). [ November 01, 2007: Message edited by: Ulf Dittmer ]

As pointed out above, use HTTPS to transmit the password securely, but rather than looking at encrypting it, you should be hashing it. That way there is no way of retrieving the user's password, and it makes non-repudiation easier. However, all this comes at a cost: if you ever want to migrate users to a new system with its own password management (i.e. move to LDAP), you will have a harder time migrating the users' accounts.

Kevin P Smith
posted Nov 01, 2007 10:49:00

I'll rephrase the question.

When I say JSP I mean the physical JSP page which contains HTML. I don't want to POST plain text across from this to the Servlet (unless it is considered safe to do this?).

I think you are confusing the JSP, which gets compiled into a servlet and runs on the server to generate a page, with the page the JSP generates, which can only run JavaScript. [ November 01, 2007: Message edited by: Ed Thompson ]

Even if the voices aren't real, they still have some good ideas!

As pointed out earlier in this thread, use SSL. If you use client-side encryption/hashing and send it in cleartext (HTTP), you are achieving nothing, as the hashed/encrypted password is now the system password!!! Once someone intercepts the request, they can resend the hashed password to gain access to the system at any time, making your efforts in vain. SSL is the only way for this one!!